A new feature to fix the DRUPAL-PSA-2016-003 security issue.
Notify on the site status report page if insecure webforms are found. Webforms should be considered insecure if anonymous users are allowed to submit files using the public scheme.
Comment | File | Size | Author |
---|---|---|---|
#7 | warn_admin_users_on-2816405-7.patch | 3.96 KB | vinmassaro |
#5 | webform-security_report-2816405-5.patch | 1.65 KB | ilari.stenroth |
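The check described in the summary, sketched as a Drupal 7 `hook_requirements()` implementation. This is an added example, not code from either attached patch; the module name `mymodule` is hypothetical, and it assumes Webform's `webform_component` and `webform_roles` tables and the file component's `scheme` setting. It looks only at the anonymous role and does not account for access changes made through Webform API hooks.

```php
<?php
/**
 * Implements hook_requirements().
 *
 * Added example: "mymodule" is a hypothetical module name.
 */
function mymodule_requirements($phase) {
  $requirements = array();
  if ($phase !== 'runtime') {
    return $requirements;
  }

  // File components on webforms that the anonymous role may submit.
  // One joined query, so no webform node is loaded.
  $query = db_select('webform_component', 'c');
  $query->join('webform_roles', 'r', 'r.nid = c.nid');
  $query->join('node', 'n', 'n.nid = c.nid');
  $query->fields('c', array('nid', 'extra'))
    ->fields('n', array('title'))
    ->condition('c.type', 'file')
    ->condition('r.rid', DRUPAL_ANONYMOUS_RID);

  $links = array();
  foreach ($query->execute() as $row) {
    // "extra" is a serialized settings array written by Webform itself.
    $extra = unserialize($row->extra);
    // Assumption: a missing scheme is treated as the public default.
    $scheme = isset($extra['scheme']) ? $extra['scheme'] : 'public';
    if ($scheme === 'public') {
      // l() escapes the node title; keyed by nid to list each webform once.
      $links[$row->nid] = l($row->title, 'node/' . $row->nid . '/webform');
    }
  }

  if ($links) {
    $requirements['mymodule_insecure_webforms'] = array(
      'title' => t('Webform file uploads'),
      'value' => format_plural(count($links), '1 insecure webform', '@count insecure webforms'),
      'description' => t('Anonymous users can upload files to the public scheme on: !list', array('!list' => implode(', ', $links))),
      'severity' => REQUIREMENT_WARNING,
    );
  }
  return $requirements;
}
```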
Comments
Comment #2
ilari.stenroth at Exove commented:
Here's a patch to implement the feature.
Comment #3
ilari.stenroth at Exove commented:
Comment #4
ilari.stenroth at Exove commented:
Comment #5
ilari.stenroth at Exove commented:
New revision of the patch. Now correctly counts insecure webforms.
Comment #6
vinmassaro commented:
@ilari.stenroth: thanks for this patch - I'm modifying it slightly to add links to the problem webforms. New patch coming shortly.
Comment #7
vinmassaro commented:
Here is a new patch that combines my additions with the patch from #5. It adds a list of problem webforms with links to each so they can be more easily edited. This is very helpful for a site with a lot of webforms.
Comment #8
DanChadwick commented:
Difficulties with this approach:
1) There may well be authenticated-but-untrusted users.
2) Webform API functions alter submission creation and edit access, making it difficult or impossible to know if a particular user can upload a file and is also untrusted.
3) Some sites have a huge number of webforms, which will cause this to time out.